On 18/05/14 12:00 Chris Green cl@isbd.net wrote:
... What I'm thinking of doing to improve my security (or at least reduce the likelihood of a break-in doing much damage) is to have a dedicated 'dmz' server on the LAN/WAN between the Speedtouch router and the 2820n's WAN port. I can then open up the appropriate ports on *that* system to provide access from the outside world but if someone breaks in they won't be able to see anything much except that machine and a couple of routers.
This would be a "good thing" (tm), provided there are appropriate firewall settings on the 2820 that prevent connections from the DMZ back into the house network (i.e. treat the DMZ as the internet from the house network point of view).
My question is about what private IP address ranges to use, currently they're as follows:-
2820n - 192.168.1.1 This has *everything* hanging on it, backup NAS, family computers, media boxes, etc.
Speedtouch - 192.168.13.254
2820n WAN - 192.168.13.65 (assigned by Speedtouch DHCP)
New dmz computer would be added to this LAN
Would it be worth changing things around so that the Speedtouch LAN is 192.168.1.x (the almost universal default for home LANs) and the 2820n one is 192.168.13.0, or even 10.0.0.0 or 172.16.0.0 so that an intruder is less likely to guess that there's another LAN to look for? I know this is 'security by obscurity' to some extent but it's no effort really except some minor configuration changes to some static addresses and DHCP servers so if it offers any advantage it's probably worth doing.
Prior knowledge of internal network addressing may help someone prepare a drive-by attack on your 2820 via your browser; otherwise there won't be much extra protection once they are on the DMZ host and can see all the network traffic passing by.
Phil
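Added example (not from either poster): a small Python check of the addressing plan from the question together with the "DMZ is just the internet" policy Chris asks about in his second paragraph and that Phil's reply assumes. The subnets are the ones in the thread; the interface names and the rendered nftables chain assume a Linux box in the 2820n's role, since the 2820n itself is configured through its own interface.

```python
import ipaddress

# Subnets taken from the thread: house LAN behind the 2820n, and the
# Speedtouch-side segment where the new DMZ host would live.
HOUSE_LAN = "192.168.1.0/24"
DMZ_LAN = "192.168.13.0/24"


def check_plan(house, dmz):
    """Return problems with an addressing plan; an empty list means it is usable."""
    house, dmz = ipaddress.ip_network(house), ipaddress.ip_network(dmz)
    problems = []
    for name, net in (("house", house), ("dmz", dmz)):
        if not net.is_private:
            problems.append(f"{name} {net} is not a private (RFC 1918) range")
    if house.overlaps(dmz):
        problems.append(f"{house} and {dmz} overlap, so routing between them is ambiguous")
    return problems


def zone_of(addr, house=HOUSE_LAN, dmz=DMZ_LAN):
    """Classify an address into the three zones the thread talks about."""
    ip = ipaddress.ip_address(addr)
    if ip in ipaddress.ip_network(house):
        return "house"
    if ip in ipaddress.ip_network(dmz):
        return "dmz"
    return "internet"


def allows_new_connection(src, dst, house=HOUSE_LAN, dmz=DMZ_LAN):
    """Policy: only hosts in the house may open connections into the house.
    The DMZ gets exactly the same treatment as the internet. Replies to flows
    the house opened are matched by connection tracking, not by this rule."""
    if zone_of(dst, house, dmz) == "house":
        return zone_of(src, house, dmz) == "house"
    return True


def nft_ruleset(house=HOUSE_LAN, dmz=DMZ_LAN, lan_if="lan0", wan_if="wan0"):
    """Render an nftables forward chain implementing the same policy.
    Interface names are assumed; adjust for the actual router."""
    return "\n".join([
        "table inet filter {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",      # replies to house-initiated flows
        f"    iifname {lan_if} ip saddr {house} accept",  # house may go anywhere
        f"    iifname {wan_if} ip daddr {house} log prefix \"dmz-to-house \" drop",
        "  }",
        "}",
    ])
```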